Kentucky joins the growing list of U.S. states to pass a comprehensive consumer data privacy law with the Kentucky Consumer Data Protection Act (KCDPA).
The KCDPA is similar to other U.S. state-level privacy laws but differs in that it doesn’t have any monetary thresholds for its legal scope but does outline data collection limits.
In this guide, I’ll walk you through all you need to know about the KCDPA, including what it requires, who it protects, and how it impacts consumers and businesses.
- What Is the Kentucky Consumer Data Protection Act (KCDPA)?
- KCDPA Key Terms and Definitions
- What Does the Kentucky Consumer Data Protection Act Cover?
- Requirements of the Kentucky Consumer Data Protection Act
- Kentucky Consumer Data Protection Act vs. Other States: Similarities and Differences
- How Will Consumers Be Impacted by the KCDPA?
- Who Does the KCDPA Apply To?
- How Will Businesses Be Impacted by the KCDPA?
- Who Must Comply With Kentucky’s New Data Privacy Law?
- How Can Businesses Prepare for the KCDPA?
- How Will the KCDPA Be Enforced?
- Fines and Penalties Under the Kentucky Consumer Data Protection Act
- How Will Termly Help with KCDPA Compliance?
- Are There Other Privacy Related Laws in Kentucky?
- Summary
What Is the Kentucky Consumer Data Protection Act (KCDPA)?
The Kentucky Consumer Data Protection Act is the first comprehensive consumer data privacy law in the state and the 15th in the U.S.
Its purpose is to give Kentucky residents more control over how their personal information is collected, processed, and used online.
It also outlines guidelines and requirements for businesses that use this information and describes the penalties for violating the law.
KCDPA Effective Date
The KCDPA goes into effect on January 1, 2026.
KCDPA Key Terms and Definitions
Below are several key terms in the KCDPA defined as they appear in the text of the law:
These terms are used throughout this guide in line with the KCDPA’s definitions.
What Does the Kentucky Consumer Data Protection Act Cover?
Kentucky’s new data privacy law covers the personal data of residents of Kentucky, but it excludes:
- Protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
- Health records
- Patient identifying records
- Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46
- Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986
- Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act
Requirements of the Kentucky Consumer Data Protection Act
Now, I’ll walk through some main requirements businesses must follow under the KCDPA.
Lawful Processing of Personal Information
Under the KCDPA, controllers must limit data collection only to what is adequate, relevant, and reasonably necessary to achieve the purposes for which the data is processed as disclosed to the consumer.
To process data beyond this scope, you must obtain consent from users.
Consent is also required to collect sensitive personal information from Kentucky consumers or data from known children.
Consent
Consent under Kentucky’s new data privacy law is defined as an affirmative, clear act signifying a consumer’s freely given, specific, informed, and unambiguous agreement and may include:
- A written statement
- An electronic statement
- Any other unambiguous action
Authenticated Consumer Requests
Under the KCDPA, covered businesses are required to present consumers with one or more ways to submit authenticated consumer requests to follow through on their privacy rights.
Controllers must respond to the requests within 45 days, which may be extended by another 45 days, depending on the complexity and number of requests.
The information responding to a consumer request must be free of charge up to twice annually.
However, a reasonable fee covering administrative costs may be charged to the consumer if the requests are excessive, repetitive, technically infeasible, or manifestly unfounded.
Contractual Obligations Between Controllers and Processors
The KCDPA requires controllers and processors to both sign a contract that outlines the following obligations to lawfully collect and process personal data:
- Set forth clear instructions for processing the personal data, its nature and purpose, the type of data subject to processing, the processing duration, and both parties’ rights.
- Ensure each party is subject to a duty of confidentiality regarding the personal data.
- Require the processor to delete or return all personal data to the controller upon request unless retention is required by law.
- Require the processor to cooperate with reasonable assessments by the controller or a designated assessor to conduct assessments of the processor’s policies.
- Require the processor to make all information in their possession available to the controller to demonstrate compliance with the KCDPA.
- Require any subcontractors to sign a contract outlining the same requirements.
Data Protection Impact Assessments
The KCDPA requires controllers to conduct and document data protection impact assessments to partake in the following processing activities:
- Processing data for targeted advertising
- Selling personal data
- Processing data for the purposes of profiling
- Processing sensitive personal data
- Processing data that presents a heightened risk of harm to the consumer
The assessment must identify and weigh the benefits of data processing against the possible risks of harming the controller.
A single assessment may be used if it addresses other laws with reasonably comparable scopes and effects as the KCDPA.
Data Security Requirements
Controllers under Kentucky’s new privacy law must establish, implement, and maintain reasonable administrative, technical, and physical data security measures to protect the confidentiality, integrity, and accessibility of the information.
The security measures must be appropriate to the volume and nature of the personal data a business collects.
Kentucky Consumer Data Protection Act vs. Other States: Similarities and Differences
Several other privacy laws exist at the state level in the U.S., including the following:
- California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Delaware Personal Data Privacy Act (DPDPA) — effective Jan. 1, 2025
- Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective Jan. 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective Jan. 1, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective Oct. 1, 2024
- Maryland Online Data Privacy Act (MODPA) — effective Oct. 1, 2025
- New Hampshire Data Privacy Law (NHDPL) — effective Jan. 1, 2025
- New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
- Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
- Tennessee Information Protection Act (TIPA) — effective July 1, 2025
- Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
- Utah Consumer Privacy Act (UCPA) — currently in force
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
Compare Kentucky’s privacy law to these other pieces of privacy legislation in the table below.
| State Law | Opt-in consent for certain types of data processing | Opt-out consent for certain types of data processing | Must present users with a privacy policy (or notice) | Requires Data Protection Assessments | Outlines Contractual Obligation with Third-Party Processors | Allows for civil lawsuits or private right of action | Must honor Global Privacy Controls/browser privacy settings |
| KCDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| CCPA/CPRA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| CTDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| DPDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| FDBR | ✓ | ✓ | ✓ | ✓ | |||
| Indiana CDPA | ✓ | ✓ | ✓ | ✓ | |||
| Iowa CDPA | ✓ | ✓ | ✓ | ||||
| MCDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| MODPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| NHDPL | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| NJDPA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| OCPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| TIPA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| TDPSA | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| UCPA | ✓ | ✓ | ✓ | ||||
| VCDPA | ✓ | ✓ | ✓ | ✓ |
How Will Consumers Be Impacted by the KCDPA?
Kentucky’s new data privacy law impacts consumers by granting them the following rights:
-
- Confirm if a controller is processing their personal data
- Access the personal data collected about them
- Correct inaccuracies in their personal data
- Delete their personal data
- Obtain a portable copy of their data when technically feasible
- Opt-out of targeted advertising
- Opt-out of the sale of personal data
- Opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects
Who Does the KCDPA Apply To?
The KCDPA applies to residents of Kentucky acting in an individual context.
It does not apply to anyone in the state acting in a commercial or employment context.
How Will Businesses Be Impacted by the KCDPA?
Along with the requirements mentioned previously in this guide, the KCDPA also impacts businesses’ privacy and cookie policies.
How Will the KCDPA Affect My Privacy Policy?
The KCDPA requires controllers to present consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following details:
- The categories of personal data processed by the controllers
- The purpose of the processing
- How consumers can exercise their rights and details about how they can appeal a controller’s decision regarding a request
- The categories of personal data the controller shares with third parties
- The categories of the third parties themselves
- If the controller sells personal data to third parties or processes data for targeted advertising
- Details about how the consumer can exercise their right to opt out of such processing
In your privacy policy, you must also establish and describe one or more secure, reliable ways for consumers to submit requests to act on their rights.
How Will the KCDPA Affect My Cookie Policy?
The KCDPA affects cookie policies because consumers under this law have the right to opt out of targeted advertising and the sale of their data, which can be done by deploying cookies on users’ browsers.
You must ensure your cookie policy is accurate and up-to-date and present it to users following the notification guidelines outlined by the law.
Consider including a clause in your privacy policy explaining how you use cookies or other trackers and adding a live link to your cookie policy.
Who Must Comply With Kentucky’s New Data Privacy Law?
Your business must comply with the KCDPA if you conduct business in or target products and services at residents of the state and meet one of the following during a calendar year:
- Processes and controls the personal data of at least 100,000 consumers or
- Processes and controls the personal data of at least 25,000 consumers and earns 50% of gross annual revenue from the sale of personal data.
Unlike many other U.S. state privacy laws, Kentucky doesn’t outline a monetary threshold.
Who Is Exempt From the KCDPA?
The following entities are exempt from the requirements of the KCDPA:
- City and state political entities
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
- Covered entities governed by the United States Department of Health and Human Services and the Health Insurance Portability and Accountability Act (HIPAA)
- Nonprofits
- Institutions of higher education
- Law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts
- First responders in connection with catastrophic events
- Small telephone utilities
How Can Businesses Prepare for the KCDPA?
To prepare for the KCDPA, businesses should plan to update their privacy policy to meet all notification requirements outlined by the new law.
Ensure your cookie policy is also up to date, especially if you sell data collected through cookies, use cookies to perform targeted advertising, or collect sensitive information.
Give your users one or more ways to follow through on their rights, like providing them with a consent banner and a Data Subject Access Request (DSAR) form.
Perform data protection impact assessments as necessary.
Finally, use compliant contracts with any data processors you work with.
How Will the KCDPA Be Enforced?
The Attorney General has the exclusive authority to enforce violations of the KCDPA.
A written notice of the alleged violations will be provided to the controller or processor, and they’ll have 30 days to cure the violation and send a written notice back.
Failure to do so adequately will result in fines.
Fines and Penalties Under the Kentucky Consumer Data Protection Act
Fines for violating the KCDPA can be as high as $7,500 per incident.
Consumers do not have a private right of action under this law.
How Will Termly Help with KCDPA Compliance?
Termly will help simplify compliance with laws like the KCDPA by ensuring our privacy policy generator includes all necessary clauses outlined by the law before it enters into force.
Our generator asks simple questions about your business and its data processing activities, then makes a unique, comprehensive policy based on your answers.
We also provide a consent management platform (CMP) that can be configured to meet all opt-out requirements described in the KCDPA.
Are There Other Privacy Related Laws in Kentucky?
While the KCDPA is the first comprehensive consumer privacy protection law in the state, several other privacy-related laws exist in Kentucky, including the following:
- Chapter 365, Part 365.732 of the Kentucky Revised Statutes: Describes Kentucky’s data breach notification requirements.
- The Genetic Information Privacy Act: Gives consumers more control over how their genetic materials are collected, used, and disclosed by external entities.
- The Insurance Data Security Act: Requires insurance carriers to protect consumer data and conduct risk assessments.
Summary
Businesses that fall under the threshold of the Kentucky Consumer Data Protection Act have until January 1, 2025, to prepare for the requirements of this law, which include:
- Presenting users with a compliant privacy policy.
- Providing users with one or more ways to act on their rights, like a DSAR form and consent banner.
- Using compliant contracts with any data processors or subcontractors.
- Performing data protection impact assessments for various types of higher-risk data processing.
- Implementing proper security measures to protect data from unauthorized access or breaches.
Make compliance extra easy by using our Privacy Policy Generator and CMP to help you meet some of the requirements of the KCDPA.
More about the author
Written by Anokhy Desai CIPP/US, CIPT, CIPM
Anokhy is a privacy lawyer with prior experience in privacy and cybersecurity in the public and private sectors. As a former Westin Fellow at the IAPP, she published several articles, white papers, and infographics, and led, coordinated, and moderated webinars and panels, all regarding US privacy and privacy technology. Anokhy obtained her masters at Carnegie Mellon University and juris doctor at the University of Pittsburgh. More about the author
